
[v2] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup

Message ID 20210125104442.135899-1-stephan@gerhold.net (mailing list archive)
State Accepted
Commit 70041000450d0a071bf9931d634c8e2820340236

Commit Message

Stephan Gerhold Jan. 25, 2021, 10:44 a.m. UTC
The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real
DAI ID, not an index into v->dai_driver. Looking it up again seems
entirely redundant.

For IPQ806x (and SC7180 since commit 09a4f6f5d21c
("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is
now often an out-of-bounds read because the indexes in the "dai_driver"
array no longer match the actual DAI ID.

Cc: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
---
Changes in v2:
  - Extracted from https://lore.kernel.org/alsa-devel/20210114094615.58191-2-stephan@gerhold.net/
  - Change commit message to clarify that this is usually not just
    redundant now but actually a broken out-of-bounds lookup.
---
 sound/soc/qcom/lpass-lpaif-reg.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Srinivas Kandagatla Jan. 25, 2021, 11:01 a.m. UTC | #1
On 25/01/2021 10:44, Stephan Gerhold wrote:
> The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real
> DAI ID, not an index into v->dai_driver. Looking it up again seems
> entirely redundant.
> 
> For IPQ806x (and SC7180 since commit 09a4f6f5d21c
> ("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is
> now often an out-of-bounds read because the indexes in the "dai_driver"
> array no longer match the actual DAI ID.
> 
> Cc: Srinivasa Rao Mandadapu <srivasam@codeaurora.org>
> Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
> Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver")
> Signed-off-by: Stephan Gerhold <stephan@gerhold.net>

Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

> ---
> Changes in v2:
>    - Extracted from https://lore.kernel.org/alsa-devel/20210114094615.58191-2-stephan@gerhold.net/
>    - Change commit message to clarify that this is usually not just
>      redundant now but actually a broken out-of-bounds lookup.
> ---
>   sound/soc/qcom/lpass-lpaif-reg.h | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/soc/qcom/lpass-lpaif-reg.h b/sound/soc/qcom/lpass-lpaif-reg.h
> index 405542832e99..baf72f124ea9 100644
> --- a/sound/soc/qcom/lpass-lpaif-reg.h
> +++ b/sound/soc/qcom/lpass-lpaif-reg.h
> @@ -133,7 +133,7 @@
>   #define	LPAIF_WRDMAPERCNT_REG(v, chan)	LPAIF_WRDMA_REG_ADDR(v, 0x14, (chan))
>   
>   #define LPAIF_INTFDMA_REG(v, chan, reg, dai_id)  \
> -		((v->dai_driver[dai_id].id ==  LPASS_DP_RX) ? \
> +	((dai_id ==  LPASS_DP_RX) ? \
>   		LPAIF_HDMI_RDMA##reg##_REG(v, chan) : \
>   		 LPAIF_RDMA##reg##_REG(v, chan))
>   
>
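Review bot: LPAIF_INTFDMA_REG carries no comment saying what its dai_id parameter means, and the removed line shows it was treated as an index into v->dai_driver while the new condition compares it directly with LPASS_DP_RX. A one-line comment above the #define stating that dai_id is the DAI ID value itself, not an array index, would keep callers and later edits from mixing the two up again. A typed static inline helper for the comparison would go further, though the ##reg## token pasting keeps the outer construct a macro.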
Mark Brown Jan. 25, 2021, 2:17 p.m. UTC | #2
On Mon, 25 Jan 2021 11:44:42 +0100, Stephan Gerhold wrote:
> The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real
> DAI ID, not an index into v->dai_driver. Looking it up again seems
> entirely redundant.
> 
> For IPQ806x (and SC7180 since commit 09a4f6f5d21c
> ("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is
> now often an out-of-bounds read because the indexes in the "dai_driver"
> array no longer match the actual DAI ID.

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound.git for-next

Thanks!

[1/1] ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup
      commit: 70041000450d0a071bf9931d634c8e2820340236

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

Patch

diff --git a/sound/soc/qcom/lpass-lpaif-reg.h b/sound/soc/qcom/lpass-lpaif-reg.h
index 405542832e99..baf72f124ea9 100644
--- a/sound/soc/qcom/lpass-lpaif-reg.h
+++ b/sound/soc/qcom/lpass-lpaif-reg.h
@@ -133,7 +133,7 @@ 
 #define	LPAIF_WRDMAPERCNT_REG(v, chan)	LPAIF_WRDMA_REG_ADDR(v, 0x14, (chan))
 
 #define LPAIF_INTFDMA_REG(v, chan, reg, dai_id)  \
-		((v->dai_driver[dai_id].id ==  LPASS_DP_RX) ? \
+	((dai_id ==  LPASS_DP_RX) ? \
 		LPAIF_HDMI_RDMA##reg##_REG(v, chan) : \
 		 LPAIF_RDMA##reg##_REG(v, chan))
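Review bot: In the added line `((dai_id ==  LPASS_DP_RX) ? \` the macro argument is expanded without parentheses, so an argument that is itself an expression (a conditional, for instance) would bind to `==` differently than the caller intends. Suggest `(((dai_id) == LPASS_DP_RX) ? \`, which also drops the doubled space after `==` carried over from the removed line.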